twendelmuth / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

html5 data-* tags are not allowed but should be #159

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
Take any HTML with data attributes like
<div data-one="1" data-two="2">test</div>
and run it through AntiSamy. The attributes will be stripped out as if they are invalid.

It is also not possible to specify a rule which will allow all attributes that are variable.

What is the expected output? What do you see instead?
AntiSamy should allow data-* attributes since they are part of the HTML5 spec and also are not processed by the browser so should not provide any attack vectors.

What version of the product are you using? On what operating system?
Using AntiSamy 1.5

Original issue reported on code.google.com by azeckoski on 28 Mar 2013 at 11:39
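
The behaviour reported above, as an added example that is not part of the original issue and is neither AntiSamy's code nor the cloned repository's implementation: a minimal allowlist sanitizer in which a static per-tag attribute list strips data-* attributes, and an optional name-pattern rule keeps them while still dropping event handlers. The policy contents, the class and function names, and the conservative data-* name pattern are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Conservative subset of the HTML5 custom data attribute name syntax (assumption).
DATA_ATTR = re.compile(r"data-[a-z0-9_.-]+")

# Hypothetical policy: fixed attribute names per tag, as in a static allowlist.
STATIC_POLICY = {"div": {"class", "id"}, "span": {"class"}}


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; drop everything else."""

    def __init__(self, policy, allow_data_attrs=False):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.allow_data_attrs = allow_data_attrs
        self.out = []

    def _attr_allowed(self, tag, name):
        if name in self.policy[tag]:
            return True
        # Dynamic rule: match the attribute *name* against a pattern.
        return self.allow_data_attrs and DATA_ATTR.fullmatch(name) is not None

    def handle_starttag(self, tag, attrs):
        if tag not in self.policy:
            return  # tag not in the policy: emit no markup for it
        kept = [(n, v or "") for n, v in attrs if self._attr_allowed(tag, n)]
        # Values are re-escaped so they cannot break out of the quotes.
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in self.policy:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(html, allow_data_attrs=False):
    parser = AllowlistSanitizer(STATIC_POLICY, allow_data_attrs)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample input, based on the snippet in the report.
SAMPLE = '<div data-one="1" data-two="2" onclick="x()">test</div>'
```

`sanitize(SAMPLE)` reproduces the stripping described in the report, and `sanitize(SAMPLE, allow_data_attrs=True)` keeps both data attributes. Page scripts can read data-* values through `dataset`, so the values are escaped on output and remain untrusted input to any script that consumes them.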

GoogleCodeExporter commented 8 years ago
I have cloned the AntiSamy project and have added functionality to allow dynamic tags.

The repo is here: https://code.google.com/r/teetoppz28-antisamy

Let me know if you have any questions.

Original comment by teetopp...@gmail.com on 24 Apr 2013 at 7:51